Saturday, April 12, 2014

Identifying BES Cyber Systems at Substations

I must admit I thought I had the whole CIP
version 5 asset identification thing figured out in early January when I wrote three
posts on the subject. My conclusion
at the time was that, while some of the details were complicated (and some of
the wording of Attachment 1 had to simply be ignored[i]),
the process was at heart fairly simple[ii]:

1. Identify all of your assets that correspond to one of the six types listed in CIP-002-5 R1 (control centers, substations, etc.).

2. Using the criteria in Attachment 1, classify those assets as High, Medium or Low impact.

3. At High and Medium assets, identify BES Cyber Systems. This is done using either of two approaches, “top-down” or “bottom-up”; these are described in two old posts, here and here (and I need to revisit these in a future post, since my perspective was different when I wrote those posts). Both WECC and SPP (and perhaps other regions) recommend you use both approaches, since it is very possible that using just one will cause you to miss BCS you would identify using the other.

(At this point, I need to point out that I have been informed there were two errors in the above paragraph, for which I apologize. SPP didn't recommend you use both top-down and bottom-up approaches; they think they're both good but don't need to be used together. I believe Joe Baugh at WECC did recommend you use both, as do I - they are good checks on each other. Second, I'm informed SPP (and probably WECC also) doesn't have an "official" position on this or any other interpretation of CIP v5. I was reporting the content of a webinar presented by Kevin Perry, the chief CIP auditor - but it wasn't SPP's official position. Of course, as I discussed in this post, I wish the regions would take an official position on v5 interpretation, since I don't see anyone else who can.)

4. Classify these BCS according to the classification of the asset itself; a BCS at a High asset will be a High, while one associated with a Medium asset/Facility will be a Medium[iii]. The one exception to this rule is for BCS associated with assets that meet criterion 2.1 (for 1500MW+ plants), where BCS that don’t affect more than 1500MW aren’t Medium impact, but Low[iv] (the same consideration applies for reactive resources in criterion 2.2, although there we’re talking about affecting 1000 MVAR).[v]

5. For Low impact assets, just list them (i.e. Generating Station X, Substation Y, etc.). In general, Low impact assets are BES assets that aren’t High or Medium impact. Keep in mind, though, that since R1.3 “defines” a Low impact asset as an “asset that contains a low impact BES Cyber System”, you may very well have Medium or High impact assets that are also listed on the Low list (for example, the Criterion 2.1 plant we just discussed would have both Low and Medium impact BCS, as would the Medium substation discussed in footnote v, in which there is a Low impact SPS and therefore a Low BCS, along with the Medium BCS. Even though these BCS are associated with the Low SPS asset, they are contained by the Medium substation).[vi]

(At this point, you may think I’m crazy to
describe the above process – with five steps and six lengthy footnotes – as
“simple”. And I would be crazy if I were comparing this to the CIP v1-3 process,
which was basically two steps - first,
identify your Critical Assets, then identify your Critical Cyber Assets,
defined as those cyber assets “essential to the operation of” the Critical
Asset[vii]. However, the above general v5 process is the paragon of
simplicity compared to the process that takes account of substations. That process includes all of the
above steps plus a few more, and requires that you parse the language of Attachment
1 as a Biblical scholar would parse the Sermon on the Mount. For more on this depressing assertion, just
read on. You may want to start looking
for a new career, say at McDonald’s).

The above process is essentially what auditors from WECC
and SPP have presented in webinars and workshops
those regions have done, although these aren't official positions of those regions. I don’t know of
any other region where an auditor has actually outlined how they see this process working, although I know that a presentation by one of the registered entities at RFC’s compliance meeting in
March in Cleveland outlined a similar position.
My guess is the other regions will follow suit as well.

So are we all done? Has the asset identification problem been
solved? As I said, I thought it had
after I wrote my posts in early January.
However, I soon started hearing from some transmission entities (mainly
in the Northeast, where it seems the cold weather and snow were keeping these
people indoors and forcing them to concentrate on deeply engaging topics like
CIP-002-5 R1) that there was a lot more to the story, especially when it comes
to substations.

I’ll admit that, when I first heard what
these entities were advocating, I was skeptical. But after talking with a number of these
people, and looking quite closely at criteria 2.4 to 2.8 in Attachment 1, I
have come to the conclusion that the approach they are advocating for BCS
identification in substations is the correct one.

This approach relies on the fact that
criteria 2.4 to 2.8 use the word “Facilities”.[viii] At this point, I must also admit that I have
long considered
the fact that this word appears in those criteria as simply sloppy wording by
the Standards Drafting Team. However, it
seems that – unbeknownst to many of us – there has been a kind of parallel
universe of transmission entities that are very comfortable with discussing
Facilities in the context of a substation.

As an example, let’s look at Criterion 2.4:

Transmission Facilities operated at
500 kV or higher. For the purpose of this criterion, the collector bus for a
generation plant is not considered a Transmission Facility, but is part of the
generation interconnection Facility.

I had interpreted this criterion to mean that
the substation itself was a Medium impact Facility (which I was assuming was
being used synonymously with ‘asset’).
Therefore, all of the BCS associated with it would also be Medium.

How do my Transmission friends interpret
this? They point to the NERC definition
of Facility:

A set of electrical equipment that
operates as a single Bulk Electric System Element (e.g., a line, a generator, a
shunt compensator, transformer, etc.)

So the Facility in Criterion 2.4 (and in 2.5
– 2.8) is an individual line that is connected to the substation, not the
substation itself. This means that the
500kV line is Medium impact in 2.4, and the BCS associated with that line, such
as relays, are also Mediums. But how
about another line, say a 230kV one? The
BCS associated with that line are Low impact, not Medium.[ix]

What about the substation itself? Is it Medium or Low? Here I have to confess that I have been
glossing over a dispute I’ve been having with a couple Interested Parties over
CIP-002-5 in general. They contend that there is no such thing as a
classification for an asset, and they point out that the wording of Attachment
1 is all about classification of BES Cyber Systems – i.e. the criteria are for
BCS, not assets. Therefore, the question
whether the substation is Medium or Low impact is like the question whether
hunger is red or blue.

I contend that a lot of the wording in
CIP-002-5 R1 and Attachment 1 actually supports the position that the assets are being classified; then the
BCS take their classification from the assets.
More importantly, I point out – usually while sporting a very smug look
on my face – that I have yet to talk to a single entity that isn’t in fact
first using Attachment 1 to classify its assets, then identifying BCS at or
associated with the High and Medium assets.
This is what makes the most sense, and it also follows generally the
approach of CIP v1-3: first identify the “big iron” (Critical Assets in v1-3,
High/Medium/Low assets in v5), then the “little iron” at or associated with the
big iron (CCAs in v1-3, High and Medium BES Cyber Systems in v5)[x].

As I said earlier, I plan on doing a whole
post on this argument, so I won’t now go into the mind-numbing details of why I
think I’m right. The good part is that I
believe it really doesn’t matter. I
believe that, whether you describe what you’re doing as classifying BCS (as the
Interested Parties do), or if you describe it as first classifying assets (as I
do) then identifying and classifying BCS, you should come out
with the same result (assuming you follow the full set of steps above, and
especially use both the “top-down” and “bottom-up” approaches to BCS
identification).

However, since I’m writing this post and I
happen to believe in my way of wording the methodology (which corresponds
fairly closely to WECC’s methodology as far as I can see), I hereby
assert that the substation, as well as the 500kV line, is Medium impact in
criterion 2.4. But this does require
that you suspend the rule I enunciated earlier, that the BCS at or associated
with an asset will take the impact rating of the asset itself (except for
plants that meet criterion 2.1, of course).
How do I now rewrite this rule to accommodate substations? I say, “In a Medium impact substation, the
BCS take the impact rating of the Facility[xi]
with which they are associated.”

Now let’s go back and rewrite the rules for
the more general case. This can now be
called, “Alrich’s General Rule of BCS Identification”.[xii] I expect it to be inscribed on stone tablets
and posted outside NERC’s offices in Atlanta:

1. Identify all of your assets that correspond to one of the six types listed in CIP-002-5 R1 (control centers, substations, etc.).

2. Using the criteria in Attachment 1, classify those assets as High, Medium or Low impact, with the following exceptions:

   a. Single units or groups of units at a generating station that meet criterion 2.3 are Medium impact, while the remaining units are Low impact.

   b. Substations containing one or more Facilities that meet criteria 2.4 through 2.8 are themselves Medium impact.[xiii]

3. For High and Medium assets or Medium Facilities, identify BES Cyber Systems by combining the “top-down” and “bottom-up” approaches.

4. Classify these BCS according to the classification of the asset or Facility itself, with the exception of BCS associated with a generating station that meets criterion 2.1. In that case, classify BCS according to the rule included in that criterion.

5. List the Low impact assets.
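To see how these five steps interact on a small inventory, here is an added Python model of the General Rule; it is my illustration, not code from the post or from NERC, and it encodes only the criteria the post states numerically (criterion 2.4 at 500 kV, criterion 2.1 at 1500 MW, the 100 kV BES floor) while leaving out control centers and criteria 2.2, 2.3 and 2.5 through 2.8, which the post defers. The class names, the `other_asset` link that ties a BCS to a Low SPS sitting inside a Medium substation, and the sample inventory are all constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional
MEDIUM, LOW, NONE = "Medium", "Low", "No Impact"   # "No Impact" per footnote x

@dataclass
class BCS:
    name: str
    facility: Optional[str] = None     # substation Facility (line, transformer) it is associated with
    mw_affected: float = 0.0           # MW it can affect, for criterion 2.1 plants
    other_asset: Optional[str] = None  # asset it really belongs to, e.g. a Low SPS (footnote v)

@dataclass
class Asset:
    name: str
    kind: str                          # substation, generating_station, sps (post's R1 asset types)
    facilities: Dict[str, float] = field(default_factory=dict)   # Facility name -> operating kV
    net_mw: float = 0.0
    bcs: List[BCS] = field(default_factory=list)
    has_cyber_assets: bool = True      # footnote vi: none at all means not even a Low

def facility_rating(kv: float) -> str:
    if kv >= 500:                      # criterion 2.4: Transmission Facility at 500 kV or higher
        return MEDIUM
    return LOW if kv >= 100 else NONE  # 100 kV+ is BES; Distribution is out of scope (fn. ix)

def asset_rating(a: Asset) -> str:     # steps 1-2 of the General Rule
    if a.kind == "generating_station" and a.net_mw > 1500:   # criterion 2.1 (1500 MW+ plant)
        return MEDIUM
    if a.kind == "substation" and any(facility_rating(kv) == MEDIUM for kv in a.facilities.values()):
        return MEDIUM                  # step 2b: one Medium Facility makes the substation Medium
    return LOW if a.has_cyber_assets else NONE

def bcs_rating(b: BCS, host: Asset, assets: Dict[str, Asset]) -> str:   # step 4
    if b.other_asset:                  # footnote v: follow the associated asset, not the host
        return asset_rating(assets[b.other_asset])
    rating = asset_rating(host)
    if host.kind == "substation" and rating == MEDIUM:
        return facility_rating(host.facilities[b.facility])   # revised rule: Facility's rating
    if host.kind == "generating_station" and rating == MEDIUM:
        return MEDIUM if b.mw_affected > 1500 else LOW          # criterion 2.1 exception
    return rating

def classify(assets: List[Asset]) -> Dict[str, str]:
    by_name = {a.name: a for a in assets}
    return {b.name: bcs_rating(b, a, by_name) for a in assets for b in a.bcs}

def low_list(assets: List[Asset]) -> List[str]:
    ratings = classify(assets)         # step 5 read with R1.3: any asset containing a Low BCS
    return [a.name for a in assets if any(ratings[b.name] == LOW for b in a.bcs)]

INVENTORY = [                          # constructed sample inventory, not taken from the post
    Asset("Sub-A", "substation", facilities={"L500": 500, "L230": 230, "D35": 34.5},
          bcs=[BCS("Relay-500", facility="L500"), BCS("Relay-230", facility="L230"),
               BCS("Relay-D35", facility="D35"), BCS("SPS-ctrl", other_asset="SPS-1")]),
    Asset("SPS-1", "sps"),             # Low SPS that happens to sit inside Sub-A
    Asset("Plant-P", "generating_station", net_mw=2000,
          bcs=[BCS("Plant-DCS", mw_affected=2000), BCS("Unit-3", mw_affected=600)]),
    Asset("Sub-B", "substation", facilities={"L138": 138}, has_cyber_assets=False),
]
```

Running `classify(INVENTORY)` rates Relay-500 Medium, Relay-230 Low and Relay-D35 No Impact inside the same Medium substation, and `low_list(INVENTORY)` returns Sub-A and Plant-P, showing how Medium assets land on the Low list while the cyber-asset-free Sub-B lands nowhere.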

Are we done now? When I started this post, I thought we would
be. However, as one of my footnotes
mentions, I now realize that not only are criteria 2.4 – 2.8 the exception to
the general rule, but at least one of those criteria – 2.5 – is an exception to
the other criteria. So we’re not done
yet. However, since I’ve been accused by
some scurrilous individuals of writing excessively long blog posts, and since
I’m getting tired anyway, I’ll stop here.
The follow-up post to this one[xiv]
will bring this discussion to its exciting conclusion by considering how
criteria 2.5 through 2.8 will impact my General Rule.

Before we go, I want to ask you a question:
Did you ever realize how complicated the asset identification process in CIP
version 5 would be? Until today, I didn’t
either. Sleep well!

June 6: I have today taken the "Part I" out of the original title to this post, since there will clearly not be a Part II. When I broke off this post, I thought I'd just have to take account of the anomaly I'd just identified (which was Criterion 2.5, the subject of this post from two days ago), then I'd be able to produce a complete methodology for compliance with CIP-002-5 R1 in substations. But over the ensuing weeks it became clear to me that v5 asset identification is even more complicated than I'd realized - in fact, I'll now say that, without clarification from NERC, there is simply no set of steps that can be written down that will comprehensively describe the process. For more information on why I say that, see this ridiculously long post. On the other hand, you haven't wasted your time reading this post. There's nothing I see in here that is wrong - it just isn't the comprehensive picture I at first thought it might be. But a little clarity is probably better than none at all.

All opinions expressed herein are mine, not
necessarily those of Honeywell
International, Inc.

[i]
I was of course not advocating that one should get in the habit of ignoring the
language of the CIP standards! However,
I made the case then – and still do – that it isn’t possible to come up with any consistent interpretation of
CIP-002-5 R1 without ignoring at least some of the language; the requirement is
inconsistently worded, period. So in
January I was outlining the approach that I thought people would in fact take,
and I can confirm that since then I have not talked with a single entity that
is not taking basically this approach.
This isn’t because they’re slavish followers of my blog, but because it
is the approach that makes intuitive sense.
I certainly hope it’s the one the auditors will follow as well; the
initial presentations I’ve seen from WECC, SPP and RFC lead me to believe this
is the case.

[ii]
I admit I have somewhat embellished the steps I listed in the third
post from January. I have made
explicit a step that was implicit in the wording I used, so now I have five
steps, not four.

[iii]
I am being careful in my wording here.
BCS that are High impact are those that are “used by and located at” a
High asset (only control centers are High, of course). BCS that are Medium impact are those “associated
with” a Medium impact BES asset or Facility.
For more on this distinction, see this
post.

[iv]
I have heard it argued that BCS that aren’t Medium in 2.1 and 2.2 aren’t even
Lows – they’re simply out of scope. But
since these are BCS after all (impact
on the BES in 15 minutes, all of that), I don’t see how you can say they aren’t
anything at all. By Attachment 1, BCS that aren't High or Medium impact are Low impact.

[v]
There is another “exception” which really isn’t one. It is very possible there will be BCS located
at a substation, generating station or control center that are actually
associated with another asset. For
example, there may be a Low impact SPS (SPS is one of the six types of assets
listed in R1) located at a Medium impact generating station or substation. As long as the BCS associated with that SPS aren’t
networked with the BCS of the Medium impact substation, they would be Low
impact. My point is that this really isn't an exception, since the BCS associated with the SPS are taking the impact level of that asset, not the substation where they happen to reside.

[vi]
There is another consideration for your list of Lows. You probably know that any asset that meets
the new definition of the BES (basically, elements connected at 100kV+) has to
be at least a Low. Well, that’s not
completely true either. If an asset
doesn’t have any devices associated
with it that meet the definition of cyber asset – “programmable electronic
device” – then it isn’t even a Low; it really is completely out of scope for
CIP v5. This is because CIP-002-5 R1.3
defines a Low asset as one that “contains a low impact BES Cyber System according
to Attachment 1, Section 3...” If there
are no cyber assets at all that are associated with the asset (and I say
“associated with”, not “at”, since that is how Section 3 of Attachment 1
reads), then there obviously can’t be any low impact BCS.

[vii]
I know there were a lot of things that had to be done to comply with each of
these steps in CIP v1-3 – develop your RBAM, inventory your cyber assets,
etc. But I believe these were the two
basic logical steps for CIP versions 1-3.

[viii]
Criterion 2.3 uses that word as well, but regarding generating stations. In that case, it refers to a unit or units at
one plant that have been designated what is sometimes called “Reliability Must
Run”.

[ix] Two points here: 1) You may wonder about lines that are at Distribution voltages, which are now defined as under 100kV. Are they also Lows? No, they are nothing at all for CIP purposes, since purely Distribution assets/Facilities aren’t part of the scope of CIP v5 (although it was pointed out to me that a Distribution Provider with a cranking path substation, called out in Section 4.2, could have Distribution lines that are Low impact). 2) Keep in mind that if there are enough other Transmission lines at the substation, it may end up meeting Criterion 2.5. Then all of the lines between 200 and 500kV would be Medium impact Facilities.

[x]
To make this clearer, you can say that in v1-3, you “classified” your assets
into just two types, Critical and non-Critical.
In v5, you classify them into four types: High, Medium, Low, and No
Impact (see footnote vi above for a discussion of what No impact means).

[xi]
So far I have just referred to lines as Facilities, but keep in mind that Facilities can include breakers, transformers, etc. You should consider all of these that have associated BCS as potential Medium impact Facilities.

[xii]
I’m hereby analogizing – with no small amount of chutzpah – my set of rules
that includes substations with Einstein’s General Theory of Relativity. My previous set of rules, that didn’t include
substations, was the equivalent of his Special Theory, which became a special
case of the General Theory. Hey, it’s my
blog. If I want to compare myself to
Einstein, I will.

[xiii]
Now as I write this sentence, I realize there is at least one exception to it,
having to do with Criterion 2.5. Since I
will wait to the follow-on post to discuss this, it seems these aren’t my final
set of rules after all. Hold the stone
tablets.

[xiv]
And yes, I know that I’ve promised at least three “follow-on” posts recently
that I have yet to deliver on. This is
different, though, since I won’t hold this post to be finished until I have
addressed the problem(s) raised by criteria 2.5 – 2.8. I want to produce my Final General Rule of
BES Cyber System Identification as soon as possible, so they can get to work on
those stone tablets.

2 comments:

Here's a question: In the military, if you have one piece of information it may not be classified, but as you add pieces it could become classified, such as: you have time 2pm, then you have location 5th street, then you have personnel, and all of a sudden you've patched all the info together. So, apply that to this: if you have a few medium assets, wouldn't the facility itself rise to High priority? If the Facility goes down you lose multiple medium assets.

Louis, I certainly agree that it would be nice if there were a better way to determine the rating of a facility than the bright-line criteria. However, that is what is in the standard, and it's actually an improvement from before. As I've discussed in this post and others, applying the bright-line criteria is quite challenging in itself. Adding new "criteria" will make it more so, and risks making the whole thing completely unauditable.

Come to think of it, one could make the case that v5 is already unauditable...